<p>IBM Software Community - Tags - xforce. The IBM Software blog promotes thoughtful discussions and perspectives on how software is changing the way we live and do business.</p>
<h1>Infosecurity Europe 2013: Day 1 Thoughts</h1>
<p>Marcel Santilli, 2013-04-23 (updated 2013-07-03)</p>
<p dir="ltr">
<a href="http://www-01.ibm.com/software/uk/security/infosec/index.html" style="width: 100%; display: inline-block;" target="_blank"><img alt="IBM Security at Infosec Europe 2013" src="https://www-304.ibm.com/connections/blogs/bcde08b8-816c-42a8-aa37-5f1ce02470a9/resource/BLOGS_UPLOADED_IMAGES/ibm-infosec-uk-europe_2013_day1.jpg" style=" display:block; margin: 0 auto;text-align: center;" /></a><br />
<br />
&nbsp;</p>
<p dir="ltr">
Wow, the end of a great first day at <a href="http://www-01.ibm.com/software/uk/security/infosec/index.html" target="_blank">Infosecurity Europe</a>. Our stand was very bright and impactful, and with our industry experts, business partners and action-packed agenda, it has been a truly engaging day!<br />
&nbsp;</p>
<p dir="ltr">
We had four workshops across the day and below are the key points that I thought were raised.<br />
&nbsp;</p>
<p dir="ltr">
We opened with a packed room to hear Simon Smith, Technical Professional for IBM Security Systems, present the latest IT security trends and risks from the <a href="http://www.ibm.com/security/xforce/" target="_blank">IBM X-Force 2012 Annual Trend &amp; Risk Report</a>.&nbsp; Simon spoke about how, after 2011 was the &ldquo;year of the targeted attack&rdquo;, the theme for 2012 has been &quot;the explosion of the breach continues.&quot;<br />
&nbsp;</p>
<p dir="ltr">
He then delved into the key findings, including how the exploitation of <strong>web application vulnerabilities rose 14% in 2012</strong> to more than 3,500 known issues and that <strong>43% of all reported vulnerabilities were led by Cross-site scripting (XSS) and SQL injection</strong>.<br />
&nbsp;</p>
<p dir="ltr">
An interesting discussion point within the room was that mobile computing is on track to be more secure than traditional computing by 2014. This is thanks to emerging technologies that encrypt, containerize and wipe data remotely. For more information on the report&rsquo;s findings, please go to the dedicated website <a href="http://www-03.ibm.com/security/xforce/">http://www.ibm.com/security/xforce/</a>.<br />
&nbsp;</p>
<p dir="ltr">
Next up was Brendan Byrne, Associate Partner and Privacy for IBM, talking about &ldquo;Security Implications of the use of Bigger and Smarter Data.&quot; Brendan started by delving into the topic of Big Data. He described how the explosion of new technologies, the adoption of new business models and easier interconnectivity have increased organisations&rsquo; security risk, due to the large amount of data being produced constantly. He then went into detail about IBM Security Intelligence with Big Data use cases, including:<br />
&nbsp;</p>
<ol dir="ltr">
<li>
How an internal compromised system can be detected from multiple data sources through IBM Security QRadar SIEM</li>
<li>
Detection of a malicious subnet<br />
&nbsp;</li>
</ol>
<p dir="ltr">
Brendan closed by identifying the security challenges of using Big Data, highlighting to the audience that they must make sure their organisation&rsquo;s supply chain is all on the same page when it comes to Information Security.</p>
<p dir="ltr">
Learn more information on the <a href="http://www-03.ibm.com/security/solution/intelligence-big-data/" target="_blank">IBM Security Intelligence with Big Data offering</a> or download this <a href="http://insight.q1labs.com/ExtendingSecurityIntelligencewithBigData.html" target="_blank">Security Intelligence whitepaper</a>.<br />
&nbsp;</p>
<p dir="ltr">
Our afternoon session was kicked off by Stephen Williams, Principal Software Consultant for our business partner Pirean, and Jon Harry, a senior IT security specialist at IBM, providing a great analysis of &quot;Identity and Access Management for the modern enterprise.&quot; Stephen set the scene by showing the audience why there is a requirement to move beyond authentication. He described how identity and access management (IAM) needs to evolve to meet rapid and recent changes in service hosting, user interface design and business requirements.<br />
&nbsp;</p>
<p dir="ltr">
There was an interesting discussion regarding the new IAM requirements, including support for incremental change, support for &lsquo;B.Y.O.D&rsquo; and mitigating the need for &lsquo;role mining&rsquo;, and Stephen discussed why organisations must adapt. Jon then took over and went through <a href="http://www-03.ibm.com/software/products/us/en/subcategory/SWI20" target="_blank">how the IBM next generation identity and access management strategy supports these needs</a>.<br />
&nbsp;</p>
<p dir="ltr">
The final session of the day, &ldquo;Thinking like an attacker to make your defences better&rdquo;, was held by Neil Warburton, Security Architect for IBM. With people queuing out of the door to get in, we knew it was going to be an inspirational session. Neil immediately grabbed the audience&rsquo;s attention with some staggering facts, including 2,641,350 being the number of security attacks the average company faces per week. The severity and frequency of such attacks immediately caused discussion from the audience and led nicely into Neil&rsquo;s discussion on how an attacker exploits a breach. He started by showing how complex it is for an organisation to track and react to potential security threats and that an attacker usually uses the below 5 steps:<br />
&nbsp;</p>
<ol dir="ltr">
<li>
Break in</li>
<li>
Load Malware</li>
<li>
Expand</li>
<li>
Gather Data</li>
<li>
Exfiltrate<br />
&nbsp;</li>
</ol>
<p dir="ltr">
Neil then highlighted to the audience how they needed to think differently about security by collecting and analyzing everything. The collection of information is just the tip of the iceberg but the key is to analyse the information intelligently. Click here to find out more about <strong><a href="http://www.ibm.com/security" target="_blank">IBM Security</a></strong>.<br />
&nbsp;</p>
<p dir="ltr">
To be updated on what is happening at Stand H80, with our awesome whiteboarding sessions or our four security workshops in room 1 (upstairs) please follow <a href="http://twitter.com/tomkendall1" target="_blank">@tomkendall1</a> and <a href="http://twitter.com/ibmsecurity" target="_blank">@IBMSecurity</a>.<br />
&nbsp;</p>
<p dir="ltr">
If you were unable to come to one of our workshops but are interested in what was discussed above, we will be posting all the presentations on <a href="http://ibm.co/1106Bdy">http://ibm.co/1106Bdy</a>. I look forward to bringing to you my thoughts tomorrow evening from <a href="https://www-304.ibm.com/connections/blogs/bcde08b8-816c-42a8-aa37-5f1ce02470a9/entry/ibm-security-at-infosec-europe-2013-day-two" target="_blank">day 2 of </a><a href="https://www-304.ibm.com/connections/blogs/bcde08b8-816c-42a8-aa37-5f1ce02470a9/entry/ibm-security-at-infosec-europe-2013-day-two" target="_blank">Infosecurity Europe 2013</a>!</p>
<p dir="ltr" style="text-align: center;">
<br />
<span style="font-size:16px;"><strong><span style="color: rgb(255, 0, 0);">Update</span>: </strong></span><br />
<span style="font-size:16px;"><strong><a href="https://www-304.ibm.com/connections/blogs/bcde08b8-816c-42a8-aa37-5f1ce02470a9/entry/ibm-security-at-infosec-europe-2013-day-two" target="_blank">Read&nbsp;my&nbsp;thoughts&nbsp;on&nbsp;day&nbsp;2&nbsp;of&nbsp;Infosecurity&nbsp;Europe&nbsp;2013</a></strong></span><br />
<span style="font-size:16px;"><strong><a href="https://www-304.ibm.com/connections/blogs/bcde08b8-816c-42a8-aa37-5f1ce02470a9/entry/ibm-security-at-infosec-europe-2013-day-three" target="_blank">Read&nbsp;my&nbsp;thoughts&nbsp;on&nbsp;day&nbsp;3&nbsp;of&nbsp;Infosecurity&nbsp;Europe&nbsp;2013</a></strong></span></p>
<p dir="ltr">
&nbsp;</p>
<hr dir="ltr" />
<p dir="ltr">
&nbsp;</p>
<p dir="ltr">
<a href="https://www-304.ibm.com/connections/blogs/bcde08b8-816c-42a8-aa37-5f1ce02470a9/resource/BLOGS_UPLOADED_IMAGES/tomphoto.jpg" target="_blank"><img alt="image" src="https://www-304.ibm.com/connections/blogs/bcde08b8-816c-42a8-aa37-5f1ce02470a9/resource/BLOGS_UPLOADED_IMAGES/tomphoto.jpg" style="display: block; margin: 1em 10px 0pt; float: left; width: 120px; height: 120px;" /></a><br />
<span style="font-size:18px;"><strong>Tom Kendall</strong></span></p>
<p dir="ltr">
Tom joined the IBM Security Systems marketing team through the acquisition of Q1 Labs team. He was the EMEA Marketing Team Lead for Q1 Labs and worked on the demand generation and channel partner marketing programmes. Tom moved into the WW Marketing team for IBM Security Systems and has been the lead for Demand Generation in Threat and Security Intelligence, and has taken on the role of the IMT first role for Europe. Before joining IBM, Tom worked for 8 years in the advertising industry in London, working on media strategies for large enterprise clients.</p>
<p dir="ltr">
&nbsp;</p>
<h1>Is your application security scanner smarter than a 5th grader?</h1>
<p>Bryan Casey, 2013-04-03</p>
<div><a href="https://www-304.ibm.com/connections/blogs/bcde08b8-816c-42a8-aa37-5f1ce02470a9/resource/BLOGS_UPLOADED_IMAGES/application-security-scanner-smarter-than-a-5th-grader_ibm-security-xforce-report.jpg" target="_blank"><img alt="image" src="https://www-304.ibm.com/connections/blogs/bcde08b8-816c-42a8-aa37-5f1ce02470a9/resource/BLOGS_UPLOADED_IMAGES/application-security-scanner-smarter-than-a-5th-grader_ibm-security-xforce-report.jpg" style=" display:block; margin: 0 auto;text-align: center; position:relative;"></a>&nbsp; <br></div><h1>XSS vulnerabilities and security technology that thinks more like <i>you</i></h1><div>&nbsp;</div>
<p>Learning about the world around us and then modifying our opinions and actions as we learn more is a skill that we aspire to teach in every classroom, and it is a process that informs how we think about making technology a little bit smarter. </p><div>&nbsp;</div>
<h1>XSS vulnerabilities represent a serious challenge for organizations </h1><div>&nbsp;</div>
<p>In 2012 the number of reported web application vulnerabilities rose 14% year over year, with over 3,500 new web application vulnerabilities disclosed last year. Of these, the two most commonly reported web application vulnerabilities were SQL injection and XSS, with XSS accounting for the majority. According to the <a href="http://ibm.co/xforce12">2012 IBM X-Force Trend and Risk Report</a>, 53% of all disclosed vulnerabilities in web applications were XSS vulnerabilities. <br>
<br>
<a href="http://ibm.co/xforce12" target="_blank"><img alt="image" src="https://www-304.ibm.com/connections/blogs/bcde08b8-816c-42a8-aa37-5f1ce02470a9/resource/BLOGS_UPLOADED_IMAGES/download-ibm-xforce-report-security.jpg" style=" display:block; margin: 0 auto;text-align: center; position:relative;"></a><br>
<br>
Leveraging XSS vulnerabilities allows an attacker to inject and fold their malicious content into whatever content the compromised website delivers to users’ browsers. Because the content was distributed through a legitimate and trusted source, it has all the associated privileges of that site, perhaps most importantly, access to session and cookie info. This is useful to an attacker because it can provide them with legitimate access credentials, which then allows them to impersonate users. </p><div>&nbsp;</div>
<h1>Helping to keep organizations protected </h1><div>&nbsp;</div>
<p>The increasing number of XSS vulnerabilities has proven to be a sustained trend. Organizations should take some time to consider how well they are defending themselves against the potential exploitation of these security issues. For years, IBM's application security scanning technology has placed highest in third-party tests (<a href="http://blog.watchfire.com/wfblog/2012/08/the-most-comprehensive-web-application-security-scanner-comparison-available-marks-appscan-standard-as-the-leader.html">2012 results</a>, <a href="http://blog.watchfire.com/wfblog/2011/08/the-ultimate-web-app-security-scanner-comparison-published-appscan-standard-leads-the-pack.html">2011 results</a>) that have sought to quantify which application vulnerability scanning technology was the most accurate and uncovered the most of these security flaws. </p><div>&nbsp;</div>
<p>This is also a space where we have continued to push forward and innovate. When we <a href="https://www-304.ibm.com/jct03001c/press/us/en/pressrelease/37901.wss">announced AppScan 8.6 last summer</a>, many of the headlines about the release were about the support for Android applications. However, also within that release was the announcement of our new and improved XSS Analyzer. This was no incremental improvement either; it was a huge step forward in how automated software can detect XSS vulnerabilities.</p><div>&nbsp;</div>
<p><a href="https://www-304.ibm.com/jct03001c/press/us/en/pressrelease/40403.wss">[Read more about the latest AppScan release, security for iOS applications]</a></p><div>&nbsp;</div>
<p>Anyone familiar with this space knows that actually exploiting an XSS vulnerability typically requires finding ways to understand and creatively work around any input validation mechanisms. Input validation mechanisms make it more difficult for an attacker to drop his or her own code into a web application, code that the victim’s browser recognizes as a command and then runs. Validating these inputs is essentially a way to make sure your application can only be used to do the things you've designed it for. </p><div>&nbsp;</div>
<h1>Security technology that thinks more like you </h1><div>&nbsp;</div>
<p>Traditional scanners send a few dozen generic requests from a fixed list of potential exploits when looking for XSS vulnerabilities. These would-be attacks are often unsuccessful because they are not specific enough to the environment, or because they are blocked by input validation. When the scanners get negative answers, they don't learn from them; they don't allow the first request to inform the second. This is something a human penetration tester does intuitively, but human intuition has always been difficult to replicate in computer systems. </p><div>&nbsp;</div>
<p>Penetration testers today have a much more useful methodology in the way they attempt to find vulnerabilities in applications. They begin by casting a series of wide nets. At the first hint they might be on the right track, they start asking an increasingly specific sequence of questions and start to close in on the ultimate target. They learn the defense mechanisms of the application and attempt to find a creative workaround that bypasses those defenses. </p><div>&nbsp;</div>
<p>This is the way <i>hackers</i> think and how <a href="http://blog.watchfire.com/wfblog/2012/07/announcing-xss-analyzer.html" target="_new">automated tools should approach identifying XSS vulnerabilities</a>. It's an approach based on accumulating knowledge, something central to the basic concept of data analysis and, if you wanted to go a step further, learning in general. </p><div>&nbsp;</div>
<p>This process has been reproduced in AppScan by identifying the context of the vulnerability and then continuing to learn more about the constraints within that context. The questions the tool asks move persistently closer to finding the answer to the question of, "where is the vulnerability in this application?" The process looks generally like this:</p><div>&nbsp;</div><ol>
<li>Begin with an empty set of constraints</li>
<li>Pick from a knowledge base a test that matches all known constraints</li>
<li>Send the test, find its reflected value in the response</li>
<li>If the reflected value is identical to the test, report a vulnerability and finish.</li>
<li>Else: split the test into parts, send them one by one to see which one triggers the input-validation mechanism</li>
<li>Learn a new constraint (based on the results of step 5)</li>
<li>Go to step #2</li></ol>
<div>&nbsp;</div><div><p>If you are more of a visual learner, <a href="http://youtu.be/FFBHLt0HeBw">this YouTube video</a> might help you understand the difference in approaches. </p><div>&nbsp;</div>
<p>One of the factors that had to come into play for this technology to be successful was a much greater number of potential exploits, so there is more specificity to cater to individual environments and varying sets of known constraints. Most scanners on the market today have 100 or so potential exploits, and we are not exaggerating when we say that <i>we have over 700,000,000!</i></p><div>&nbsp;</div>
<p>In my head I can hear whole IT organizations leaving work early and maybe quitting their jobs altogether at the prospect of running 700,000,000 tests against an application. Don't worry, that is not the case at all. On average it takes about 20 requests to locate a vulnerability because each request, and the response to that request, eliminates huge volumes of possibilities. When we do locate a vulnerability, because we use this process and have such a level of specificity in the exploits we ultimately send, we also keep false positives extremely low.</p><div>&nbsp;</div>
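<p>The constraint-learning loop listed above, as an added example that is not AppScan's code or part of the original post. It runs offline against constructed in-process stand-ins for a web application and uses inert markup probes to check whether output encoding holds; the knowledge base, markers, probe strings and all names are assumptions made for illustration.</p>

```python
import html
import re

MARK_S, MARK_E = "xq1s", "xq1e"  # constructed alphanumeric markers; they survive filtering

# Constructed knowledge base of inert probes (no script), grouped by reflection
# context. Each test is a tuple of parts so a failed test can be split (step 5).
KNOWLEDGE_BASE = {
    "attr_dq": [('"', ">", "<", "gr7", ">"),
                ('"', ">", "<!--", "gr7", "-->"),
                ('"', " data-gr7=", '"')],
    "attr_sq": [("'", ">", "<", "gr7", ">"),
                ("'", ">", "<!--", "gr7", "-->"),
                ("'", " data-gr7=", "'")],
    "body": [("<", "gr7", ">"), ("<!--", "gr7", "-->")],
}


class ReflectionScanner:
    def __init__(self, app):
        self.app = app        # callable: submitted value -> HTML response
        self.requests = 0

    def send(self, value):
        """Step 3: submit value between markers, return (reflected value, response)."""
        self.requests += 1
        response = self.app(MARK_S + value + MARK_E)
        match = re.search(re.escape(MARK_S) + "(.*?)" + re.escape(MARK_E), response, re.S)
        return (match.group(1) if match else None), response

    def context(self):
        """Simplified context check: what immediately precedes the reflection."""
        reflected, response = self.send("")
        if reflected is None:
            return None                      # input is not reflected at all
        if ('="' + MARK_S) in response:
            return "attr_dq"
        if ("='" + MARK_S) in response:
            return "attr_sq"
        return "body"

    def scan(self):
        ctx = self.context()
        constraints = set()                              # step 1: nothing known yet
        finding = None
        for parts in KNOWLEDGE_BASE.get(ctx, []):
            test = "".join(parts)
            if any(c in test for c in constraints):      # step 2: prune without a request
                continue
            if self.send(test)[0] == test:               # steps 3-4: reflected unchanged
                finding = test
                break
            blocked = set()
            for part in dict.fromkeys(parts):            # step 5: each distinct part once
                if self.send(part)[0] != part:
                    blocked.add(part)
            # Step 6. If only the combination is filtered, rule out this whole test
            # so the loop always makes progress.
            constraints |= blocked or {test}
        return {"context": ctx, "finding": finding,
                "requests": self.requests, "constraints": constraints}


def app_strips_angles(value):
    """Constructed weak target: removes < and > but leaves quotes untouched."""
    return '<input name="q" value="%s">' % value.replace("<", "").replace(">", "")


def app_encodes(value):
    """Constructed corrected target: encodes for the HTML attribute context."""
    return '<input name="q" value="%s">' % html.escape(value, quote=True)


if __name__ == "__main__":
    for app in (app_strips_angles, app_encodes):
        print(app.__name__, ReflectionScanner(app).scan())
```

<p>A finding here means the probe came back byte-for-byte in a context where it changes the markup, which is the signal that output encoding is missing for that context.</p>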
<br>
<object height="315" width="420">
<embed allowfullscreen="true" allowscriptaccess="always" src="http://www.youtube.com/v/MoHzk9l05pk?hl=en_US&amp;version=3" type="application/x-shockwave-flash" height="315" width="420">
</object><p>As is frequently the case, in application security getting the right answer begins and ends with being able to ask the right set of questions. Please leave your comment below with your thoughts and follow <a href="http://twitter.com/ibmsecurity">IBM Security on Twitter</a> for the latest.</p></div><div>&nbsp;</div><p>
</p>
<h1>New report analyzes and explores latest security threats and trends</h1>
<p>Marcel Santilli, 2013-03-28 (updated 2013-04-01)</p>
<div><a href="/jct03001c/security/xforce/" target="_blank"><img alt="IBM X-Force 2012 Annual Trend and Risk Report" src="https://www-304.ibm.com/connections/blogs/bcde08b8-816c-42a8-aa37-5f1ce02470a9/resource/BLOGS_UPLOADED_IMAGES/ibm-x-force_xforce-report_security-infosec.jpg
" style=" display:block; margin: 0 auto;text-align: center; position:relative;"></a></div><div><h1><font color="#dc143c">NEW!</font> IBM X-Force 2012 Annual Trend and Risk Report</h1></div><br><div><p>Twice a year since the late 1990s, <a href="/jct03001c/security/xforce/" target="_blank">IBM’s X-Force Research and Development team</a> releases a trend and risk report including content collected from dozens of thought leaders across the company.&nbsp; Its findings, analyses and predictions come from working with our thousands of clients and leveraging vast database resources of publicly disclosed security vulnerabilities, IP reputations, and details behind historical spam and phishing attacks.&nbsp; The report amounts to required reading for security professionals charged with safeguarding your company’s intellectual property, corporate data and private customer data.&nbsp;</p><div>&nbsp;</div> <br><br><br><p>It’s difficult to summarize all the important content in a single statement; nevertheless, we noticed what we believed to be a central theme associated with achieving the maximum impact by expending the least possible effort.&nbsp; Many of the targets selected were broad in nature, and the tools and techniques used in the attacks amounted to off-the-shelf technology.&nbsp; No need to go to extreme measures when login credentials could easily be compromised on users quickly duped into clicking on bad links or opening malicious code sent via email attachments.</p><div>&nbsp;</div></div><br><a href="http://ibm.co/xforce12" target="_blank"><img alt="image" src="https://www-304.ibm.com/connections/blogs/bcde08b8-816c-42a8-aa37-5f1ce02470a9/resource/BLOGS_UPLOADED_IMAGES/download-ibm-xforce-report-security.jpg
" style=" display:block; margin: 0 auto;text-align: center; position:relative;"></a> <br><br><div><p>For example, we examined the role of web browser exploit kits and how quickly they appeared after the vulnerabilities were identified.&nbsp; More exploit kits were readily available in 2012, and the primary driver was the Java Content Management System—especially for its add-ons.&nbsp; Despite the availability of patches, attackers took advantage of the infrequency of organizational and individual patch applications to great success.&nbsp; Java also had the unique appeal of being a cross platform and multi-browser attack opportunity.</p><div>&nbsp;</div><br><br><br><p>We also saw increasing sophistication in Denial of Service (DDoS) attacks and the continued effectiveness of SQL Injection and Cross-site scripting approaches leading us to conclude that 2012 was a year where attackers achieved a higher return on their exploit development efforts.&nbsp; Find out more about these important issues by downloading a copy of the<b> <a href="http://ibm.co/xforce12" target="_blank">IBM X-Force 2012 Annual Trend and Risk Report</a> </b>today.</p><div>&nbsp;</div></div><div>&nbsp;</div><div>Follow <a href="http://twitter.com/ibmsecurity" target="_blank">IBM Security on Twitter</a> for the latest news. </div><div>&nbsp;</div><div>- <br></div><br><br><br><br><br>
<h1>Preparing for the Big One: Security Intelligence as the Centerpiece of Advanced Threat Protection</h1>
<p>Melissa Stevens, 2012-10-09</p>
<div><a href="http://images.tap.ibm.com:10001/image/1G3598897.jpg?s=115" target="_blank"><img alt="image" src="http://images.tap.ibm.com:10001/image/1G3598897.jpg?s=115" style=" display:block; margin: 1em 1em 0pt 0pt; float: left; position:relative;"></a><p>This post was contributed by Michael Applebaum, Director of Product Marketing at Q1 Labs, an IBM Company.&nbsp; Connect with Michael on <a href="https://twitter.com/ma08">Twitter</a> and <a href="http://www.linkedin.com/in/michaelapplebaum">LinkedIn</a>.<br><br>
</p><p>Not every security breach is the result of an advanced persistent threat (APT).&nbsp; In fact, only a small fraction probably are.&nbsp; But the industry is buzzing about APTs today because the business impact of an APT can be massive.&nbsp; Victims of these attacks are keenly targeted, and a successful breach can expose customer data, financial data, intellectual property and other information assets.&nbsp; Recovering from this kind of attack can be a costly and long-term challenge, since trust takes years to build, but moments to destroy.&nbsp; Regaining the confidence of customers and other stakeholders is inevitably the most difficult part of recovering.</p></div><br>
<p>Perhaps surprisingly, APT targets aren’t always Fortune 500 corporations and government agencies.&nbsp; It was reported that <a href="http://en.wikipedia.org/wiki/Operation_Shady_RAT">one long-running APT</a> compromised real estate firms, construction companies and even a national Olympic committee.&nbsp; The lesson is that any organization with information of value to others is a potential target.<br><br>In this year’s <a href="https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-Tivoli_Organic&amp;S_PKG=ov7304">IBM X-Force Mid-year Trend and Risk Report</a>, we included a section which explains the nature of APTs, a sampling of tactics employed by APTs, and practical methods organizations can use to protect themselves, including security intelligence and anomaly detection approaches.&nbsp; You can download the full report <a href="https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-Tivoli_Organic&amp;S_PKG=ov7304">here</a>, but for now I’ll provide an introduction to security intelligence and how it can help defend against advanced threats.<br><br>
</p><p><b>Do I really need to worry about an APT attack?</b><br><br>
</p><p>Given how many firms have been breached without realizing it, and the persistence of determined and well-funded adversaries, it’s best to assume you will be breached some day (if you haven’t been already).&nbsp; There’s no telling if a truly advanced and persistent attacker will target you, but many organizations are preparing for the worst.&nbsp; That way, even if a less-than-advanced threat puts your firm in its cross-hairs, you’ll be equipped to quickly detect and defend against the attack.&nbsp; This is where security intelligence comes in.<br><br>
</p><p><b>What is security intelligence? </b><br><br>
</p><p>Security intelligence is a new class of solutions that provides unified visibility and real-time analytics across your entire environment.&nbsp; It bridges the numerous information silos that exist – from security and network devices to server operating systems, applications, endpoints and infrastructure resources, plus external threat intelligence.&nbsp; It analyzes more unique types of data to provide a more complete and accurate picture of threats.&nbsp; In doing so, security intelligence helps you shift your security posture from reactive to proactive, and your visibility from fractured to seamless.<br><br>
</p><p><b>How does security intelligence work?</b><br><a href="https://s-media-cache-ec6.pinimg.com/upload/441141725969352895_BHLtKyVO_c.jpg" target="_blank"><img alt="image" src="https://s-media-cache-ec6.pinimg.com/upload/441141725969352895_BHLtKyVO_c.jpg" style=" display:block; margin: 1em 0pt 0pt 1em; float: right; position:relative;"></a><br></p>
<div>By consolidating data silos, <a href="http://blog.q1labs.com/2011/08/15/what-is-security-intelligence-and-why-does-it-matter-today/">security intelligence</a> solutions can provide deeper insight into seemingly unconnected or non-risky activity.&nbsp; They correlate and analyze massive data sets to help you distinguish real threats from “noise,” and help reduce false-positive alerts by using more contextual data and smarter analytics.</div><br>
<p>Where security intelligence adds the greatest value in defending against APTs is through anomaly detection.&nbsp; An advanced adversary seeks to breach your environment as quietly as possible and once inside carry out its exploration and data theft without leaving any obvious signs of mischief.&nbsp; To identify this stealthy intrusion, you need to find the subtlest hints of suspicious activity and then analyze as much contextual data as possible surrounding them, to distinguish the “signal” from the “noise”.<br><br>
</p><p>Anomaly detection capabilities establish a baseline of current activity through observation over a period of time, and then alert you to activity that exceeds normal behavior.&nbsp; There are any number of different items you might want to monitor – from <a href="http://blog.q1labs.com/2012/03/29/know-your-users-using-qradar-siem-for-user-activity-monitoring/">user activity</a> to database access to outbound network traffic – all of which can yield rich security insight and provide an early warning signal.<br><br>
</p><p><b>Learn More</b><br><br>
</p><p>To learn 6 best practices for anomaly detection and gain more information about building an APT defense strategy with security intelligence, download the <a href="https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-Tivoli_Organic&amp;S_PKG=ov7304">X-Force Trend and Risk Report.</a>&nbsp; It also provides a wealth of other security tips, trends and insights from the IBM X-Force Research and Development team, covering mobile security, BYOD policy and the emergence of Mac malware.<br><br></p>
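<p>The baseline-then-alert approach described under "How does security intelligence work?", as an added example that is not from the original post or from any IBM product. It learns a per-host baseline of outbound traffic from constructed sample records and flags later activity that exceeds it; the record format, host names, median/MAD statistic and thresholds are all assumptions made for illustration.</p>

```python
import statistics
from collections import defaultdict

# Constructed sample records, one per host per day: "date host bytes_out"
BASELINE_LOG = """
2012-09-24 ws-014 120000
2012-09-25 ws-014 118000
2012-09-26 ws-014 131000
2012-09-27 ws-014 125000
2012-09-28 ws-014 119000
2012-09-29 ws-014 127000
2012-09-30 ws-014 122000
2012-09-24 db-02 900000
2012-09-25 db-02 950000
2012-09-26 db-02 870000
2012-09-27 db-02 910000
2012-09-28 db-02 940000
2012-09-29 db-02 905000
2012-09-30 db-02 925000
2012-09-29 ws-020 40000
2012-09-30 ws-020 n/a
"""

OBSERVED_LOG = """
2012-10-01 ws-014 129000
2012-10-01 db-02 48000000
2012-10-01 ws-099 5000
"""


def parse(log):
    """Return (date, host, bytes_out) tuples, skipping blank or malformed lines."""
    records = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 3 or not fields[2].isdigit():
            continue
        records.append((fields[0], fields[1], int(fields[2])))
    return records


def build_baseline(records, min_samples=5):
    """Observe a period of activity: per host, the median and the median absolute deviation."""
    per_host = defaultdict(list)
    for _, host, sent in records:
        per_host[host].append(sent)
    baseline = {}
    for host, values in per_host.items():
        if len(values) < min_samples:
            continue                      # too little history to call anything normal
        median = statistics.median(values)
        mad = statistics.median([abs(v - median) for v in values])
        baseline[host] = (median, mad)
    return baseline


def threshold(median, mad, k=6.0, floor=0.05):
    """Upper bound of normal. The floor keeps a perfectly flat history (MAD of 0)
    from turning every small increase into an alert."""
    spread = max(1.4826 * mad, floor * median)
    return median + k * spread


def evaluate(records, baseline, k=6.0):
    """Alert on activity above the host's baseline, and on hosts with no baseline."""
    alerts = []
    for day, host, sent in records:
        if host not in baseline:
            alerts.append((day, host, sent, "no baseline for host"))
        elif sent > threshold(*baseline[host], k=k):
            alerts.append((day, host, sent, "outbound volume above baseline"))
    return alerts


if __name__ == "__main__":
    learned = build_baseline(parse(BASELINE_LOG))
    for alert in evaluate(parse(OBSERVED_LOG), learned):
        print(alert)
```

<p>Median and MAD are used instead of mean and standard deviation so that one unusual day inside the learning window does not inflate what counts as normal.</p>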
<h1>Are your passwords as secure as you think?</h1>
<p>Melissa Stevens, 2012-10-03 (updated 2012-10-19)</p>
<a href="http://images.tap.ibm.com:10000/image/005961624.jpg?s=115" target="_blank"><img alt="image" src="http://images.tap.ibm.com:10000/image/005961624.jpg?s=115" style=" display:block; margin: 1em 1em 0pt 0pt; float: left; position:relative;"></a> <i>This post was written by Jason Kravitz, Techline Specialist for </i><a href="/software/tivoli/solutions/security/">Tivoli Security Products</a><i> at IBM.<br></i><div>&nbsp;</div>
<p></p><div>Several <a href="http://www.pcworld.com/article/257045/6_5m_linkedin_passwords_posted_online_after_apparent_hack.html">high profile breaches</a> so far this year have brought some much needed attention back around to the topic of password security. Odd that in the years since the World Wide Web was first founded, the username password paradigm remains relatively unchanged. Technologies, browsers, design and usability have all evolved exponentially, and yet the same authentication methodologies have persisted for nearly two decades. </div><br>
<p>In some ways, we are almost regressing in our ability to protect our private information online. Security questions based on public data, linked accounts which can be recovered through basic social engineering tricks, and password reuse have all served to further destabilize an already flawed system. <br><br>
</p><p></p><div>Attempts at educating users on proper password policy have been limited to a fuzzy stream of seemingly overcomplicated policies, oversimplified "rules", and increasing characters, symbols and numbers, without much consideration for the implications of a poor password choice.</div><br>
<p><b>Apathy and ignorance</b><br>
</p><p>One prevailing attitude is of general apathy towards preserving private data. So what if my account to the funny cat forum is hijacked, nobody cares what's on my computer, I barely use that social network. Yet many people don't consider that their cat forum password is the same as their webmail and their webmail is connected to an online shopping account where they have one click payment on file. Running up thousands of dollars in credit card charges due to a poor forum password is not something that anyone should need to experience.<br><br>
</p><p>The problems do not lie solely with the users. Recent breaches have also brought attention to the way that websites store those passwords. While they may be encrypted using some kind of password hashing function, they may not be as protected as previously believed. We have seen that some older, widely used mathematical hash functions like <a href="http://en.wikipedia.org/wiki/MD5">MD5</a> and <a href="http://en.wikipedia.org/wiki/SHA-1">SHA-1</a> turn out to be very poor for protecting password information because they are very quick to calculate. This means that when a password database is leaked, attackers can take a list of millions of password hashes and, using an off-the-shelf server, recover a huge percentage of those passwords in plain text in a very short time. <br><br>
</p>
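<p>Added example (not part of the original post): the storage difference described above, with an unsalted SHA-1 record beside a salted PBKDF2 record built from Python's standard library. The sample password, the record format and the iteration count are assumptions chosen for illustration.</p>

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for this illustration; tune it to your own hardware.
PBKDF2_ITERATIONS = 200_000


def fast_record(password):
    """Weak form: one unsalted SHA-1 pass, cheap to compute per guess."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_record(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Hardened form: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Record format (an assumption of this example): scheme$iterations$salt$hash
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify(password, record):
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed or legacy record: never treat as a match
    return hmac.compare_digest(dk, expected)


def seconds_per_guess(fn, password, rounds):
    """Average wall-clock cost of computing one candidate record."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(password)
    return (time.perf_counter() - start) / rounds


def cost_ratio(password="Summer2012"):  # constructed sample password
    """How many times more work one guess costs against the hardened record."""
    fast = seconds_per_guess(fast_record, password, 20_000)
    slow = seconds_per_guess(slow_record, password, 3)
    return slow / fast


if __name__ == "__main__":
    # Two users with the same password: identical fast records, distinct slow ones.
    print(fast_record("Summer2012") == fast_record("Summer2012"))
    print(slow_record("Summer2012") == slow_record("Summer2012"))
    print("cost ratio: {:.0f}x".format(cost_ratio()))
```

<p>Because the salt is random per record, identical passwords no longer produce identical stored values, and the iteration count multiplies the cost of every guess made against a leaked database.</p>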
<p></p><div><b>"Best Practices" &amp; technology have made cracking passwords even simpler</b><br></div>
<p>Note that in most cases, attackers are not attempting to guess passwords by logging into a website repeatedly, but rather take the list of leaked <a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function">hashed passwords</a> and run a local program (there are several freely available tools) to attempt to recover the plain text. This process starts by using a source dictionary file that contains a huge number of known words, common phrases, and even passwords leaked from previous breaches. Given how widespread password reuse is, it is often possible to recover a large number based solely on existing breached passwords. The software goes through the list of words, runs the same hash function on them that website developers use, and then compares the result to see if it matches one of the leaked hashes. Given the power of multi-core computers, particularly using the Graphics Processing Units (GPUs) found on consumer grade video cards, this can be done at speeds of billions of guesses per second. <br><br></p><p>Consider that there are 57 billion possible combinations of a six character password made up of upper-case or lower-case letters plus numbers. With today's hardware, it is possible to guess every combination in under a minute. <br><br>
</p><p>These recovery tools can also be configured to guess common password rules. These are the same tricks that were once advised as best practices not so long ago. Replace the letter I with a 1, O with a zero, capitalize the first letter and put a number at the end. All of these simple rules make the attacker's job much easier, as they can reduce the number of possibilities by applying some basic logic. Even longer multi-word passwords that consist of common phrases like song titles, cliches, or quotes are likely to be easily guessed. </p>
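<p>Added example (not part of the original post): a signup-time check, from the defender's side, that rejects passwords falling into the categories described above, together with the six-character keyspace arithmetic. The word and phrase lists, the extra character swaps, the guess rate and the one-day threshold are assumptions made for illustration.</p>

```python
import re
from typing import List

# Constructed mini-wordlist; a real check would load a large dictionary plus
# passwords seen in previous breaches.
WORDLIST = {"password", "welcome", "sunshine", "lion", "monkey"}
# Constructed stand-ins for song titles, cliches and quotes.
PHRASES = {"let it be", "to be or not to be"}

# Reverse the swaps the post names (1 for I, zero for O); the other three are
# common variants added here as an assumption.
UNSWAP = str.maketrans({"1": "i", "0": "o", "3": "e", "@": "a", "$": "s"})

ALPHABET = 62            # upper-case + lower-case letters + digits, as in the post
GUESSES_PER_SEC = 1e9    # assumed floor for "billions of guesses per second"
MIN_SECONDS = 86_400     # assumed policy: exhaustive search must take over a day

RULE_BASED = "dictionary word behind common substitution rules"
PHRASE = "common multi-word phrase"
SHORT = "short enough for exhaustive search"


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passwords of exactly this length."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return space / guesses_per_second


def base_forms(password: str) -> set:
    """Undo capitalisation, trailing digits/symbols and character swaps."""
    lowered = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    return {lowered.translate(UNSWAP), stripped.translate(UNSWAP)}


def weak_reasons(password: str) -> List[str]:
    """Reasons to reject a candidate password at signup (empty list = none)."""
    reasons = []
    if base_forms(password) & WORDLIST:
        reasons.append(RULE_BASED)
    squashed = re.sub(r"[^a-z0-9]", "", password.lower())
    if squashed in {p.replace(" ", "") for p in PHRASES}:
        reasons.append(PHRASE)
    space = keyspace(ALPHABET, len(password))
    if seconds_to_exhaust(space, GUESSES_PER_SEC) < MIN_SECONDS:
        reasons.append(SHORT)
    return reasons


if __name__ == "__main__":
    print(keyspace(62, 6))
    for candidate in ("Passw0rd1", "L1on", "ToBeOrNotToBe"):  # constructed inputs
        print(candidate, weak_reasons(candidate))
```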
<p></p><div><b>Read more in the IBM X-Force Mid-year Trend and Risk Report </b><br></div>
<p>In the latest <a href="/jct03001c/security/xforce/">X-Force Trend and Risk report,</a> we take a look at some password security best practices, both from the perspective of the user, and for website developers. We explore how attackers are using leaked passwords, how developers can improve the security of their stored passwords, and other practical tips for increased protection. <a href="https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-Tivoli_Organic&amp;S_PKG=ov7304">Download</a> your copy today and read all about it.<br><br>
</p>
<p><b>Key highlights in the IBM X-Force 2012 Trend &amp; Risk Report</b><br>Melissa Stevens, 2012-09-20T11:34:44-04:00</p><div><a href="http://images.tap.ibm.com:10001/image/005959624.jpg?s=115" target="_blank"><img alt="image" src="http://images.tap.ibm.com:10001/image/005959624.jpg?s=115" style=" display:block; margin: 1em 1em 0pt 0pt; float: left; position:relative;"></a> <p><b>Today's post is an abstract from the Frequency-X blog, courtesy of Leslie Horacek, <a href="http://www-03.ibm.com/security/xforce/">IBM X-Force</a> Threat Response Manager. To read the full post, please click <a href="http://blogs.iss.net/archive/2012-XFTR-Midyear.html">here</a> and download the report <a href="http://www-03.ibm.com/security/xforce/downloads.html">here</a>.</b><br></p></div>
<p></p><div>&nbsp;</div><div><i>&nbsp;I’m happy to announce that today the IBM X-Force Mid-Year 2012 Trend and Risk report is out the door!<br><br>
<p>If you remember, early in 2011, IBM X-Force declared it the year of the security breach. Enterprises both large and small were targeted.&nbsp; In 2012, the trend has continued and the topic of security breaches quickly rose to the top of discussion lists from board rooms to blogs and to major media. Executives and security professionals around the world have had to assess and understand just how well they might be doing in this combustible environment of attack activity. They continue to ask the hard questions about how to secure an enterprise that is interconnected by means of cloud, mobile, and outsourcing technologies.<br><br>
</p><p>As a security research organization, IBM X-Force has traditionally viewed security breaches with a technical focus. However, we have modified our view of attacks and breaches over time to encompass a greater business context.<br><br>
</p></i><p><i>So let’s dive into those highlights…</i></p></div><div><i>&nbsp;</i></div>
<p></p><div><i><b>&nbsp;New Attack Surfaces with Equal Opportunity Exploits</b><br><br>
<p>Since the last X-Force Trend and Risk Report, IBM’s X-Force has seen an increase in malware and malicious web activities.<br><br>
</p><p>A continuing trend for attackers is to target individuals by directing them to a trusted URL or site which has been injected with malicious code. Through browser vulnerabilities, the attackers are able to install malware on the target system. The websites of many well-established and trustworthy organizations are still susceptible to these types of threats. These equal opportunity exploits allow attackers to create a common code base for distributing malware across Windows, Mac, and in some cases even Linux.<br><br>
</p><p>As the user base of the Mac operating system continues to grow worldwide, it is increasingly becoming a target of Advanced Persistent Threats (APTs) and exploits, rivaling those usually seen on Windows platforms.<br><br>
</p></i><p><i>Reviewing the state of Mac malware during the first half of 2012, we observe three major developments.<br></i></p><ul><li><i>First, the utilization of browser-related exploits towards malware installation, which had to that point been a problem exclusive to Windows users.</i></li><li><i>Second is the emergence of Mac Advanced Persistent Threat (APT) malware. X-Force expects Mac APT malware to become more ubiquitous over time. So far, the Mac APT malware is just designed for information theft, though the attackers have leveraged exploits in Microsoft Office for Mac documents as well as Java vulnerabilities to facilitate infection.</i></li><li><i>Third is the emergence of even more sophisticated technology towards anti-reverse engineering and rootkit features, such as in the recent OS X malware, Crisis. <br></i></li></ul>
<p><i>Apple has released additional security features in the most recent version of OS X, Mountain Lion. X-Force, however, will not be surprised if attackers, APT-related or just financially motivated, find ways to continue on the OS X platform.<br><br></i></p></div><div>*** <br></div><div>&nbsp;</div><p></p><div>Jump over to the Frequency-X blog to read the rest of <a href="http://blogs.iss.net/archive/2012-XFTR-Midyear.html">this post</a>, which includes findings about password security, trends in mobile security, BYOD and much more.<br><br></div>
<p><b>Improvements in Internet Security amidst the "Year of the Security Breach"</b><br>Bryan Casey, 2012-03-22T15:47:11-04:00, 2012-03-22T16:46:14-04:00</p><div><span style="font-style: italic;">Twice a year, IBM's X-Force Research and Development team, in partnership with several other organizations from around the IBM Security team, comes together to publish data, analysis and operational advice for security professionals and the broader community of internet and computer users around the trends we are seeing in IT security. You can visit X-Force on the web at </span><a href="/jct03001c/security/xforce/">ibm.com/security/xforce</a><span style="font-style: italic;"> and download this report, as well as any of the other threat reports we have published, on the </span><a href="/jct03001c/security/xforce/downloads.html">downloads </a><span style="font-style: italic;">tab of that site.
</span><br><br>
We've been doing the X-Force Trend and Risk Report for many years and for a long time we've been reporting on things that are essentially gloom and doom. The number of vulnerabilities was steadily rising along with a similar rising trajectory in the number of exploits. While 2011 may not be the last year we ever refer to as "Year of the Security Breach," the security issues we knew existed, and had been seeing grow in significance over the years, really came into sharp focus as a number of somewhat independent variables all collided with one another at the same time.
<br><br>
We've seen APT (advanced persistent threat) articles that date all the way back to 2006, but in 2011 it became a focus in a way it really hadn't been previously. I can't recall how many conversations I saw just on Twitter debating what APT meant, whether "advanced" referred to operational capabilities or technical ones, whether "persistent" meant an attacker would keep attempting to break in until they succeeded or if it meant an attacker invested in doing long-term network surveillance. In addition to these attackers who were invested in silence, you had the more politically motivated hacktivists who were invested in noise. Their campaigns were often based on making sure that a targeted organization wound up in the headlines that day. Much was made about the extent of this group's technical capabilities, but after calling 2011 the "Year of the Security Breach," there isn't much left to be said about their success.
<br><br>
In security it does frequently seem like we wind up in conversations around what was old is new again, and this year actually didn't prove to be much of a departure from that. I like to read many of the other threat reports that come out because every one tells a piece of the story from a different angle. However, one theme I'm picking up on from this year is around passwords. Mandiant reported that in 100% of the targeted attacks they investigated the attackers were using stolen, valid credentials. Trustwave just published their report of security breaches and found that over 80% of incidents were due to weak administrative controls, such as bad passwords. In fact, the most common password they found was "password1." We see some of this same activity but from a different angle. We noticed a dramatic spike in the amount of SSH brute force activity (programs designed to break bad passwords).
<br><br>
This particular challenge was something that came up on a podcast I did today with Tom Cross and Caleb Barlow that covered much of the data in the new report. You can listen to that full podcast here.
<br><br>
<div style="font-size: 10px;text-align: center; width:220px;"> Listen to <a href="http://www.blogtalkradio.com">internet radio</a> with <a href="http://www.blogtalkradio.com/itsecurity">Caleb Barlow</a> on Blog Talk Radio</div>
<br><br>
We also saw a sustained increase in the amount of shell command injection over the course of the year. Similar to SQL Injection in the way the attack is delivered, shell command injection is delivered through the inputs in web applications. However, while SQL Injection is an attack on the database, shell command injection is aimed at the web server itself. The results of this tactic basically give the attacker control of the web server, at which point they can do a number of different things depending on their motives. This would include using the site to deliver malware, defacing the website or even just taking it down altogether.
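<br><br>
Added example (not part of the original post): the delivery path described above shown as a vulnerable handler beside a hardened one, so the effect of input validation and shell-free execution is visible. The handler names, the hostname parameter, the stand-in tool and the sample input are hypothetical and constructed for illustration.

```python
import re
import shlex
import subprocess
import sys

# Constructed stand-in for a server-side helper binary (for example a DNS
# lookup tool): it only prints the arguments it received, so this runs offline.
TOOL = [sys.executable, "-c", "import sys; print('args=' + repr(sys.argv[1:]))"]

# Constructed request parameter carrying a shell metacharacter and a benign marker.
SAMPLE = "example.com; echo INJECTED"

# Allowlist for the one thing this parameter may be: a DNS hostname. Requiring
# an alphanumeric first character also keeps the value from being read as an option.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"(?=.{1,253}\Z)" + LABEL + r"(?:\." + LABEL + r")*")


def lookup_vulnerable(host):
    """'Before' form: request input pasted into a command line for the shell."""
    command = "{} -c {} {}".format(shlex.quote(TOOL[0]), shlex.quote(TOOL[2]), host)
    done = subprocess.run(command, shell=True, capture_output=True, text=True)
    return done.stdout


def run_without_shell(host):
    """argv list, no shell: the input is one literal argument, never parsed."""
    done = subprocess.run(TOOL + [host], capture_output=True, text=True, check=True)
    return done.stdout


def lookup_hardened(host):
    """Allowlist validation first, then execution without a shell."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("host parameter rejected")
    return run_without_shell(host)


if __name__ == "__main__":
    print(lookup_vulnerable(SAMPLE))   # the shell runs a second command
    print(run_without_shell(SAMPLE))   # the whole string stays one argument
    try:
        lookup_hardened(SAMPLE)
    except ValueError as err:
        print("hardened handler:", err)
```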
<br><br>
All of this came to deliver a year in which security really began to move its way into board level conversations as senior level executives were all wondering if this could happen to them, or worse yet, if it was currently happening to them and they just didn't realize it yet. However, despite the increased focus on security, this is also not an issue that many organizations, to their credit, are just waking up to. In fact, years of hard work and awareness (hopefully through reports like this one and those of our peers) have begun to yield progress in certain areas. First off, many vendors seem to be doing a better job with security. We have noted dramatic improvements in patching coverage and processes over the course of the last 4 years. In 2008, over 50% of all vulnerabilities had no patch and that number is now in the mid 30s. Secondly, using things like sandboxes, vendors are also making it more difficult for exploits to yield any real results, and this is likely one of the reasons why the number of exploits is going down. The number of web application vulnerabilities also went down for the first time since recently reaching 50% of all disclosed vulnerabilities. Today, that number is down to 41%. Why is this such an important stat? Given the sheer volume of new web apps springing up every day, the security with which they are designed, developed and deployed is often questionable. The average developer might not take the time to do something like secure input and output validation to combat the attempts at the various types of code injection I mentioned above. However, a decline in web application vulnerabilities could speak to the larger development community beginning to take the problem more seriously and using security tools and best practices as part of their development processes. While we will need to see this trend sustained over time before we start feeling all warm and fuzzy, it is a positive indicator.
<br><br>
Cloud and mobile continue to be hot topics and the Trend Report has some valuable insight on both. In the mobile space we continue to see a rise in the number of exploits year to year. As more and more employees bring their own devices into the office, the opportunity that these devices represent will only continue to grow. Taking a somewhat different approach than we typically do, the cloud article is not about the technology as much as it looks at the nature of the relationship between consumer and provider and the key considerations organizations need to make, especially around what an exit strategy would look like. It seems cynical to consider the relationship in this manner, but it's best to enter into this marriage planning for divorce. That's not to say that the relationship won't be mutually beneficial for all parties and for a long time, but the consequences of not planning this way are too great.
<br><br>
Video: <a href="http://www.youtube.com/v/rRkacWIqL7w?version=3&amp;hl=en_US">http://www.youtube.com/v/rRkacWIqL7w?version=3&amp;hl=en_US</a>
<br><br>
Video: <a href="http://www.youtube.com/v/MV7H35Etaos?version=3&amp;hl=en_US">http://www.youtube.com/v/MV7H35Etaos?version=3&amp;hl=en_US</a>
<br><br>
While security will never be a solved problem, and new technologies and new attack techniques will always drive this back and forth between attackers and the security community, it is good to see progress being made in some of the areas that are central to computer and internet security even during a year that was defined by breach headlines.
<br><br>
Each of the videos below contains an overview of the report given by Tom Cross, Manager of Threat Intelligence and Strategy, with varying levels of depth. The first is a quick overview while the second is about 15 minutes on the top trends.
<br><br>
Video: <a href="http://www.youtube.com/v/7L3dLKhS7kc?version=3&amp;hl=en_US">http://www.youtube.com/v/7L3dLKhS7kc?version=3&amp;hl=en_US</a>
<br><br>
Video: <a href="http://www.youtube.com/v/mho3VsSEVCs?version=3&amp;hl=en_US">http://www.youtube.com/v/mho3VsSEVCs?version=3&amp;hl=en_US</a>
<br></div>